Governance and Accountability under the GDPR
November 2, 2016
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2
Speakers
Peter Swire, Senior Counsel, Atlanta, Alston & Bird
Jan Dhont, Partner, Brussels, Alston & Bird
David Keating, Partner, Atlanta, Alston & Bird
Peter Cullen, Executive Strategist, Information Accountability Foundation
Overview
Program Introduction
Topic Overview
History and Context of Accountability | Why Does it (and Did it) Matter to Business?
Accountability under the GDPR | Practical Considerations
Where is the Accountability Trend heading?
Q&A
Topic Overview
-- Peter Swire --
History and Context of Accountability | Why Does it (and Did it) Matter to Business?
-- Peter Cullen
History of Accountability
1980 – OECD Privacy Guidelines
2000 – Canada Private Sector Privacy Legislation
2004 – APEC Privacy Framework
2009 – Essential Elements of Accountability (Global Accountability Dialogue)
2010 – EU Working Party 29 accountability opinion
2012 – Canadian guidance on accountability
2014 – Hong Kong guidance
2015 – Colombia guidance
2016 – EU General Data Protection Regulation
Essential Elements of Accountability
1. Corporate commitment to internal policies (codes of conduct) that link to external criteria – data protection law
2. Mechanisms to put those policies into effect, including identifying risk to individuals and mitigating those risks (privacy-by-design)
3. Internal monitoring to assure mechanisms work
4. Individual participation – transparency; consent (where effective)
5. Standing ready to demonstrate to a regulator on request and remediation where necessary
Accountability under the GDPR | Practical Considerations
-- Jan Dhont
GDPR’s Trinity of Effective Data Protection
- Accountability
- Enhanced Data Protection Rights
- Increased Enforcement and Sanctions
Actors: Controllers/Processors; Individuals; Supervisory Authorities
Accountability is about Effective Data Protection
Accountability
Embodies elements of the WP29 Opinion on Accountability (3/2010)
“Take appropriate and effective measures to implement data protection principles”
Need “to demonstrate upon request such appropriate and effective measures have been taken and provide evidence”
Measures are not defined by WP29 but scalable in function of risk
“The expected effects of [accountability] would include the implementation of internal measures and procedures putting into effect existing data protection principles, ensuring their effectiveness and the obligation to prove this should data protection authorities request it.”
Accountability under the GDPR
Article 24: “controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with [the GDPR].” Review and update measures “where necessary”
Appropriate data protection policies
Article 5: “The controller shall be responsible for, and be able to demonstrate compliance with [principles relating to data processing]” (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality)
Non-compliance with the accountability principle is subject to maximum fines of 20 MM EUR or 4 percent of the turnover of the undertaking, whichever is higher (Art. 83 (5)).
“Accountability-Related” Measures
- Data Privacy Impact Assessments for “high risk processing” (Art. 35)
- Implement data protection by design and by default (Art. 25)
- Appoint a DPO in some cases (Art. 37)
- Obligation to keep data processing records (Art. 30)
- Specific requirements to demonstrate compliance with obligation to:
  - track consent and demonstrate validity of consent (Art. 7)
  - provide information on action taken on requests relating to data subject rights (Art. 12)
  - document breaches and assessment that notification to Supervisory Authorities is not required (Art. 33 (5))
  - document “compelling legitimate interests” to reject the data subject’s objection to processing (Art. 21 (1))
  - assess and document safeguard measures for ad hoc data transfers (Art. 49 (1)(g))
  - provide instructions to data processors; these need to be “documented” (Art. 28 (3)(a))
Minimalist v. Maximalist Approach.
Accountability Requires Effective Privacy Program
Policies: Information practices must be covered by adequate policies reflecting GDPR obligations (e.g., HR, consumer/customer, vendor/supplier, IT & Info sec, breach response, data retention, online/offline)
Procedures: Accountability may require revision of processes and procedures to ensure effective implementation of policies (e.g., administration of rights, breach response, vendor management, audit protocols, access management, PIAs/DPIAs)
Controls: Effective/recurrent auditing and complaint handling
Documentation: Build system inventory; keep records required for provision to Supervisory Authorities; document (i) administration of rights, (ii) audit cycles and actions taken, (iii) complaint handling and follow-up, (iv) “accountability-related measures” (breach, consent, …)
Privacy by design/default
Accommodation of privacy rights
Information security
DPO
Staffing/Privacy Personnel
Awareness and training
Legal/Policy IT/System Personnel
Accountability Drives Need for Inventory
Process/System Inventory
- What data are we collecting?
- What is the purpose of collection?
- How are we processing the data?
- What is the legal basis for each processing operation?
- Where is the data stored?
- How long are we retaining the data?
- Who has access to the data?
- Where is the data transferred?
Feeds record production:
- Controller must maintain records of all processing including breaches – including processing or breaches of service providers/vendors (Art. 30)
Provides overview of Policies and Procedures:
- Controller must implement appropriate & effective policies/processes (Art. 24)
- Controller must know legal bases for processing to comply with objection rules (Art. 15-22)
- Notices must now disclose (a) legal bases for processing; (b) legitimate interests pursued; (c) retention periods; and (d) transfer recipients (Art. 13-14)
- Controllers need overview to decide if consent is required (Art. 7)
Provides overview of effective governance and action areas:
- Capability to demonstrate compliance with core data privacy principles (Art. 5 (2))
- Privacy By Design/PIAs/Effective Vendor Management
Accountability Drives the Need for PIAs and DPIAs
PIAs are an essential tool to ensure accountable data processing
Consider a “two-tier” approach:
- PIAs for all information systems (as default/possible to include thresholds)
- DPIAs for “high risk” processing as required by the GDPR
PIAs can be instrumental to:
- ensure basic understanding of core processes and related facts (storage location, data flow, core purposes and functionalities, etc.)
- address privacy-by-design/default
- help achieve compliance with the general privacy principles
- ensure effective implementation of data subject rights
- address effective vendor management
- address information security
- confirm coverage by applicable policies/procedures/notices
PIAs can “feed” inventory as tool to create oversight
“High Risk Processing” includes inter alia:
- Automated decision-making, or profiling with significant effects
- Large scale sensitive data processing
- Systematic monitoring of “a publicly accessible area on a large scale” (Art. 35)
Tips
- Provide for policies and procedures that establish criteria in advance for addressing compliance requirements and their operationalization
- Maximize documentation of actions that help demonstrate thoughtfulness and compliance, e.g.:
  - Interaction with individuals and feedback provided, for instance, in context of rights management
  - Complaint handling
  - Provision of notices
  - Audits conducted and subsequent compliance efforts
  - Vendor vetting
- Consider automation where possible, e.g.:
  - Rights management (preference settings, means to access and rectify information, present notices, etc.)
  - Default PIA processes and documentation/escalation processes
  - Systems inventory and processing records
- Ensure timely action and handling of requests/complaints:
  - Controller must provide information on status of rights handling – feedback required within 1 month
  - Contain complaints and avoid escalation to Supervisory Authorities
Accountability for Processors
Processors are subject to “accountability-related” requirements:
- Records of processing activities “under its responsibility” (Art. 30 (2))
- DPO appointment (Art. 37)
The market is expected to drive accountability initiatives to build customer trust and secure commercial interests
Accountability obligations seem to apply primarily to controllers -- however:
Processors have direct liability under the GDPR and therefore should be in a position to demonstrate compliance with obligation to:
- provide for appropriate technical and organizational measures to ensure a level of security “appropriate to the risk” (Art. 32)
- apply “flow down” provisions to sub-contractors (Art. 28 (4))
- inform controller of a data breach without “undue delay” after becoming aware (Art. 33)
- appoint a representative in case of extra-territorial application (Art. 27)
- ensure compliant transfer mechanism for export of personal data (Art. 44)
Processors must be contractually liable vis-à-vis controllers to “make available to the controller all information necessary to demonstrate compliance with the obligations in the data protection contract” (Art. 28 (3)(h))
CNIL Privacy Label Program
- Addresses accountability and sets forth key building blocks for a privacy program
- Provide for internal and external facing policies; ensure review at least every 3 years
- Central role of DPO – approval of policies, training and funding
- DPO must be involved in key projects
- Validation processes and risk assessments …
Accountability Tools
Certification programs (Art. 42)
Codes of conduct (Art. 40)
Binding Corporate Rules (Art. 47)
“Adherence to approved codes of conduct […] or approved certification mechanisms […] may be used as an element by which to demonstrate compliance with the obligations of the controller” (Art. 24 (3), stress added).
Robust Privacy Governance for BCRs
[Diagram: Privacy Governance Structure, layered as Policy / Implementation / Effectiveness / Control]
- Policy: Group’s Global Privacy Policy; HR Data & Privacy Policy; Vendor & Supplier Data Privacy Policy; Customer Data Privacy Policy
- Implementation (Processes & Procedures): Privacy Notices; Employee Policies & Confidentiality Clauses; Map Data Processing Activities & Data Flows; IT Security; Third Party Relations; Roles & Responsibilities
- Effectiveness (Effective Compliance Measures): Data Quality/Breach Response; Training & Testing; Complaint & Request Handling; Network of Privacy Officers & Staff; Sanction Mechanism; PIA & Template; Contacts for 3rd Parties; Cooperation with DPAs
- Control (Audit Program): Internal and/or External Annual Audit; Ad Hoc Investigations
Accountability and Liability
Accountability obligation to “demonstrate compliance” with data privacy principles is subject to maximum fines
A strong governance program is a factor that can be taken into account by the Supervisory Authorities when fining (Art. 83 (d))
A strong governance program will promote effective prevention, detection and handling of incidents
Supervisory Authorities may have “immediate cause of action” in case information is not provided upon request (WP 29, Opinion 3/2010)
Takeaways
Companies must be prepared to demonstrate compliance with each and every GDPR requirement
Focus not only on “accountability-related” measures, but consider a consistent privacy program that shows commitment to data privacy
Keep documentation on the effective administration of the program, showing that policies and procedures are not “dead matter”
Accountability helps to build trust and mitigate risk where full compliance may be quasi-impossible
Where is the Accountability Trend heading?
-- Peter Cullen
The explosion of data collection and use creates greater risk. Regulatory trends are growing faster than the controls in place to manage these risks.
[Chart: Risk (vertical axis) against Collection and Use of Information (horizontal axis). Data Collection & Use rises faster than Controls, opening a Risk Gap. Stages along the horizontal axis: Core product offering, limited PII; Core product offering, various PII plus personalization & consumer choice; Core product offering, various PII plus multiple data sources, analytics & personalization; Mergers, acquisitions, and new/updated consumer data collection, analytics and processing used to drive new products, new services, new personalization & insights, and increase in direct to consumer services. External pressures shown: New Regulations (GDPR; Legal; Fair and Just) and Public Expectations.]
Business Drivers Expanding the Risk Gap for Organizations
Domestic/international regulatory & cultural changes
• Rapid changes in laws/standards across the world pose compliance challenges
• Expansion of Regulatory approach and expectations into “fair and just” processing and use of data – broad range of rights and interests
• Public opinion is increasingly aware of privacy as a business issue
• Regulator scrutiny and authority is growing
Increasing business complexity & data use
• Increased focus on deriving new insights & opportunities through data
• New revenue streams based on data expand the business
• Expansion of use from PI to “all” data
• Growing risk profile associated with growing privacy-sensitive capabilities (IoT, Analytics, etc.)
As compliance obligations and regulatory scrutiny for privacy become more challenging for organizations, it’s increasingly important to promote the development of effective, scalable and practical public policy for data privacy & governance obligations
Business Risk
Data-driven innovation and the organizations that are dependent upon it are at risk from an information governance vacuum and how policy makers and regulators might fill it.
Put simply, the risk of having data and prohibitions on making innovative uses of that data is growing by the day and creating regulatory risk, customer trust risk and reticence risk; information will simply not be used because decision drivers are unclear.
Q&A
Thank you!
For more reading on privacy, see: http://www.alstonprivacy.com/
New York Webcast Participation
If you are requesting CLE credit in New York, please enter the following code on the Attorney Affirmation sheet. Refer to your webcast confirmation for a link to the sheet.
[*]
About Alston & Bird’s Privacy and Data Security Practice:
Cybersecurity Preparedness & Response Team
Alston & Bird’s Cybersecurity Preparedness & Response Team specializes in assisting clients in both preventing and responding to security incidents and data breaches, including all varieties of network intrusion and data loss events.
www.alstonsecurity.com
Privacy & Data Security Team
Our team helps clients at every step of the information life cycle, from developing and implementing corporate policies and procedures to representation on transactional matters, public policy and legislative issues, and litigation.
www.alston.com/privacy